Intel

AIKIDO-2026-552135

napi is vulnerable to Use-After-Free

Use-After-Free Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 6 days ago

35

Low Risk

This Affects:

RUSTnapi
2.10.0 - 3.9.4
Fixed in 3.10.0
Are you affected? Scan for Free

TL;DR

The napi runtime routes deferred cleanup of owned Buffer and TypedArray values through a single process-global custom-GC threadsafe function created by the first isolate that loads the addon. Because that path carries no owning env, a value dropped off its owning JavaScript thread under worker_threads has its napi_ref unreferenced and deleted through another isolate's environment, producing a cross-isolate use-after-free on V8 global handles. This can abort the Node.js process or corrupt memory when an async function consumes a Buffer or typed array across worker isolates. The fix gives each environment its own custom-GC handle so cross-thread drops are routed through the value's owning isolate.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your addon passes owned Buffer or TypedArray values into async functions that can be dropped off the owning JavaScript thread, typically under worker_threads.

Background info

napi is vulnerable to Use-After-Free in versions 2.10.0 - 3.9.4.

How to fix this

Upgrade the napi library to the patch version.